From da9bb9e2ed0472a7b62a85bf001b227c9c3126d2 Mon Sep 17 00:00:00 2001 From: Hua Liu <58683130+liuh-80@users.noreply.github.com> Date: Fri, 26 Jan 2024 16:00:00 +0800 Subject: [PATCH] [TACACS] Fix when set TACACS to "tacacs+, local" user can run blocked command with local permission issue. (#17749) Fix when set TACACS to "tacacs+, local" user can run blocked command with local permission issue. #### Why I did it When set TACACS to "tacacs+, local", user still can run a blocked command with local permission. ##### Work item tracking - Microsoft ADO: 26399545 #### How I did it Fix code to reject command when authorized failed from TACACS server side. #### How to verify it Pass all UT. ### Description for the changelog Fix when set TACACS to "tacacs+, local" user can run blocked command with local permission issue.
---
 src/tacacs/bash_tacplus/bash_tacplus.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tacacs/bash_tacplus/bash_tacplus.c b/src/tacacs/bash_tacplus/bash_tacplus.c
index 82f57c724c7d..85756de31981 100644
--- a/src/tacacs/bash_tacplus/bash_tacplus.c
+++ b/src/tacacs/bash_tacplus/bash_tacplus.c
@@ -471,8 +471,9 @@ int on_shell_execve (char *user, int shell_level, char *cmd, char **argv)
 fprintf(stdout, "%s not authorized by TACACS+ with given arguments, not executing\n", cmd);
 break;
 default:
+ // when command reject by server, authorization will failed immediately
 fprintf(stdout, "%s authorize failed by TACACS+ with given arguments, not executing\n", cmd);
- break;
+ return ret;
 }
 if ((tacacs_ctrl & AUTHORIZATION_FLAG_LOCAL) == 0) {